
3 NETMAP with SCALANCE S615


The rules for the outgoing and incoming queries have been created.


3.3 NETMAP for the local and remote network

In this example, the NETMAP rules from NETMAP for the local network (Page 43) and from NETMAP for the remote network (Page 48) are combined. There is, however, a special feature with the outgoing queries. Outgoing queries, whose source IP address is translated from 192.168.20.0 to 192.168.200.0, must be able to use both 192.168.10.10 and 192.168.100.10 as the destination IP address. For translating the destination IP address a further NETMAP rule is required. The addresses are translated by the M876 and forwarded to the destination.

With the incoming query both IP addresses are exchanged.

Local network > remote network:

The source IP subnet 192.168.20.0/24 is replaced by 192.168.200.0/24.

The destination IP subnet 192.168.100.0/24 is replaced by 192.168.10.0/24.



Remote network > local network:

The destination IP subnet 192.168.200.0/24 is replaced by 192.168.20.0/24.

The source IP subnet 192.168.10.0/24 is replaced by 192.168.100.0/24.

The two devices should also communicate with each other via a VPN tunnel.
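As an added example (not part of the Siemens manual), the following Python models the two NETMAP rule sets described above with the page's subnets and checks that the incoming translation undoes the outgoing one; NetmapRule, translate and round_trip_ok are hypothetical names chosen for this illustration.

```python
"""Added example (not from the Siemens manual): models the two NETMAP rule sets
of section 3.3 and checks that the reply path undoes the request path."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NetmapRule:
    """Rewrite the network part of an address in `match` to `translated`,
    keeping the host part: the 1:1 subnet mapping a NETMAP rule performs."""
    field: str                      # which address the rule rewrites: "src" or "dst"
    match: ipaddress.IPv4Network
    translated: ipaddress.IPv4Network

    def apply(self, addr):
        if addr not in self.match:
            return addr             # rule does not fire, address passes unchanged
        host = int(addr) & int(self.match.hostmask)
        return ipaddress.IPv4Address(int(self.translated.network_address) | host)


def rule(field, match, translated):
    return NetmapRule(field, ipaddress.IPv4Network(match), ipaddress.IPv4Network(translated))

# Local network > remote network (outgoing queries, subnets from the page)
OUTGOING = [rule("src", "192.168.20.0/24", "192.168.200.0/24"),
            rule("dst", "192.168.100.0/24", "192.168.10.0/24")]
# Remote network > local network (incoming replies)
INCOMING = [rule("dst", "192.168.200.0/24", "192.168.20.0/24"),
            rule("src", "192.168.10.0/24", "192.168.100.0/24")]


def translate(src, dst, rules):
    """Apply every rule to the address field it names; return the new pair."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if r.field == "src":
            s = r.apply(s)
        else:
            d = r.apply(d)
    return str(s), str(d)


def round_trip_ok(src, dst):
    """The remote host replies to what it saw; after INCOMING the station must
    see the reply come from the address it originally queried."""
    out_src, out_dst = translate(src, dst, OUTGOING)
    back_src, back_dst = translate(out_dst, out_src, INCOMING)  # a reply swaps the ends
    return (back_src, back_dst) == (dst, src)
```

A destination that is already in 192.168.10.0/24 is not touched by the outgoing destination rule, which is why the text calls this case out as a special feature.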

Requirement

● The SCALANCE M-800 is connected to the WAN, refer to "Connecting SCALANCE M-800 to the WAN".

● The SCALANCE M-800 can be reached via the admin PC and you are logged in to the WBM as a user with the role "admin".

Steps in configuration

The following steps are necessary:

1. Creating a VPN connection (Page 54)

2. Creating NETMAP rules (Page 56)

3.3.1 Creating a VPN connection

Procedure

1. Click on "Security" > "IPsec VPN" in the navigation area and on the "General" tab in the content area.

2. Activate "Enable IPsec VPN" and click "Set Values".

3. Click on the "Remote End" tab in the content area and create the VPN partner with the following settings:

Setting           On the M816                                                   On the M876
Remote End Name   M876                                                          M816
Remote Mode       Standard                                                      Standard
Remote Type       Manual                                                        Manual
Remote Address    Reachable via a dynamic DNS service, e.g. example.no-ip.com   Fixed IP address (WAN IP address) of the M816, e.g. 91.19.6.84
Remote Subnet     192.168.200.0/24                                              192.168.10.0/24

4. Click on the "Connections" tab in the content area and create the VPN connection with the following settings:

Setting           On the M816       On the M876
Connection Name   M816_to_M876      M876_to_M816
Operation         Disabled          Disabled
Keying Protocol   IKEv2             IKEv2
Remote End        M876              M816
Local Subnet      192.168.10.0/24   192.168.20.0/24

5. Click on the "Authentication" tab in the content area and configure the VPN authentication with the following settings:

Setting              On the M816     On the M876
Authentication       PSK             PSK
Local ID             -               -
Remote ID            -               -
PSK / Confirmation   e.g. 12345678   e.g. 12345678

6. Click on the "Phase 1" tab in the content area and configure the following settings:

Setting            M816 / M876
DPD                enabled
Encryption         AES256 CBC (M87x), AES256 (M81x)
Authentication     SHA512
Key Derivation     DH group 14
Lifetime [min]     1440
DPD Period [sec]   60
Aggressive Mode    no

7. Click on the "Phase 2" tab in the content area and configure the following settings:

Setting          M816 / M876
Encryption       AES256 CBC (M87x), AES256 (M816)
Authentication   SHA512
Key Derivation   DH group 14
Lifetime [min]   1440

Result

The VPN connection on the devices is configured. To establish the VPN connection, click on

For "Operation" select the following and click "Set Values":

Setting     On the M816        On the M876
Operation   wait (Responder)   start (Initiator)

The M876 establishes the VPN tunnel to the M816. If the VPN tunnel is established, the LED is lit green on the devices.

3.3.2 Creating NETMAP rules

Requirement

● The VPN connection M876_to_M816_2 is configured, see Creating a VPN connection (Page 54).

● The NETMAP rules for the local network (Page 51) have been created.

● The NETMAP rules for the remote network (Page 46) have been created.

Procedure

1. Click on "Layer 3" > "NAT" in the navigation area and on the "NETMAP" tab in the content area.

2. Specify the NETMAP rule for the outgoing queries with the following settings:

Type Source

Source Interface vlan1

Destination Interface IPSec M876_to_M816_2

Source IP Subnet 192.168.20.0/24

Translated Source IP Subnet 192.168.100.0/16

Destination IP Subnet 192.168.200.0/24

3. Click "Create". A new row is created in the table with the settings.

4. Click on "Set Values".


Result

The rules for the outgoing and incoming queries have been created.



4 Configuring a VRRPv3

4.1 Introduction

This section contains an example configuration that demonstrates the function of the VRRPv3. With the Virtual Router Redundancy Protocol v3 (VRRPv3), the failure of a router in a network can be countered.

To set up router redundancy, multiple devices are combined into a logical group; these devices together form the virtual router. To clearly assign the devices to a logical group, a VRID is configured for each device. The devices of a logical group must have the same VRID.

One device of the group is declared the master router, while the others are backup routers. A virtual IP address and a MAC address are assigned to this master router. The entire data traffic is handled over the master router.

If the master router fails, the virtual IP address and the MAC address are transferred to the backup router that takes on the role of the master router. This means communication is restored within three seconds.

The connected devices do not notice the change of router, because the virtual IP address that was configured as gateway address in the nodes does not change.

In this example configuration, stations 1 and 2 are to be connected redundantly to ensure data communication to and from these IP subnets even in case of a router failure.

Setup

To set up router redundancy, the stations are connected to each other over two SCALANCE S615. To do so, two VRIDs (1 and 2) are configured on both devices. Within these groups (VRID 1 and 2), the "S615_1" is the master router and the "S615_2" is the backup router.

Station 1 (vlan1) is connected over interface P1, and station 2 (vlan2) is connected over the P5 interface of the SCALANCE S615. During normal operation, the entire data traffic is handled over the interfaces of the master router.

When one of these interfaces fails on the master router, data traffic is no longer possible over the master router. The connection over the interfaces P1 and P5 is therefore monitored.

When the status of a monitored interface changes on the master router from "up" to "down", the priority of the master router is reduced. The virtual IP address and the MAC address are transferred to the backup router that takes on the tasks of the master router.

Once connection over the "S615_1" is possible again, the original priority of the VRRP router is restored. The "S615_1" once again takes on the role of master router.

The firewall is enabled on the devices by default. For the incoming VRRP packets to be forwarded to the device, you must configure a firewall rule.


Settings used

For the configuration example, the devices are given the following IP address settings:

VLAN / VRID   Router status   Device name   Interface   IP address                    Virtual IP address (Associated IP address)
vlan1 / 1     Master          S615_1        P1          192.168.100.1 255.255.255.0   192.168.100.15 (VRID 1)
vlan1 / 1     Backup          S615_2        P1          192.168.100.2 255.255.255.0

You configure the devices with the PC using Web Based Management. To do so, you must assign the IP address to the PC network adapter. In the extended TCP/IP settings of the network adapter configuration you have the option of adding additional IP addresses.

PC    IP address       Gateway
PC1   192.168.100.20   VRID 1: Virtual IP address 192.168.100.15
PC2   192.168.2.20     VRID 2: Virtual IP address 192.168.2.15


Note

The IP settings used in the configuration example were freely chosen.

In a real network, you would need to adapt these IP settings to avoid possible address conflicts.

Requirement

● The SCALANCE S615 is connected to the WAN, refer to "Connecting SCALANCE S615 to the WAN (Page 9)".

● The SCALANCE S615 can be reached via the PC and you are logged in to the WBM as a user with the role "admin".

Steps in configuration

The steps always have to be executed on both devices, unless you are expressly instructed to do otherwise.

1. Create IP subnet (Page 61)

2. Configure VRRPv3 (Page 63)

3. Create firewall rules (Page 67)

4. Verify VRRPv3 (Page 68)

4.2 Creating IP subnet

The SCALANCE S615 has five ports with the following factory settings: 

● P1 to P4: vlan 1 for access from the local network (LAN) to the device. 

● P5: vlan 2 for access from the external network (WAN) to the device.

The VLANs are in different IP subnets. To integrate the SCALANCE S615 into the network of the application example, the settings are adapted accordingly.

Procedure

1. Click on "Layer 3 > Subnets" in the navigation area and on the "Configuration" tab in the content area.

2. Enter the IP address for the internal network ("vlan1") in accordance with the table "Settings used (Page 59)".

3. Click on "Set Values".

The IP address is adjusted automatically in the address bar of the Web browser.


4. Click on "Layer 3 > Subnets" in the navigation area and on the "Configuration" tab in the content area.

5. For "Interface (Name)" select the entry "vlan2 (EXT)".

6. Enter the IP address for "vlan2 (EXT)" according to the table "Settings used (Page 59)".

7. Click on "Set Values".

Result

The IP subnets are created in both SCALANCE S615 and are displayed in the "Overview" tab.

Overview of the configuration on the S615_1:

Overview of the configuration on S615_2:


4.3 Configure VRRPv3

4.3.1 Create VRRPv3 router

Procedure

1. Click on "Layer 3" > "VRRPv3" in the navigation area and on the "Router" tab in the content area.

2. Select the setting "VRRPv3". Confirm the message with "OK". The procedure is described in the section "Creating firewall rules for VRRP (Page 67)".

3. Select the setting "VRID-Tracking".

4. Click on "Set Values".

5. For "Interface", select the entry "vlan1".

6. Enter 1 for "VRID" and click "Create".

7. For "Interface", select the entry "vlan2".

8. Enter 2 for "VRID" and click "Create".

9. Click on "Set Values".

Result

Two logical groups have been created on the devices.

4.3.2 Configure VRRPv3 router

This section describes how to configure the VRRPv3 routers. The S615_1 is configured as master router and the S615_2 as backup router in this case.


Procedure

1. Click on "Layer 3" > "VRRPv3" in the navigation area and on the "Configuration" tab in the content area.

2. For "Interface / VRID" select the entry "vlan1 / 1".

3. Configure the virtual router VRID 1 with the following settings:

Setting            S615_1      S615_2
Interface / VRID   vlan1 / 1   vlan1 / 1
Primary Address    0.0.0.0     0.0.0.0
Priority           150         100
Reduce Priority    60          60

Because only one subnet is configured on this VLAN, no entry is necessary for "Primary Address". The entry is then 0.0.0.0.

4. Click on "Set Values".

5. Configure the virtual router VRID 2 with the following settings:

Setting            S615_1      S615_2
Interface / VRID   vlan2 / 2   vlan2 / 2
Primary Address    0.0.0.0     0.0.0.0
Priority           150         100
Reduce Priority    60          60

Because only one subnet is configured on this VLAN, no entry is necessary for "Primary Address". The entry is then 0.0.0.0.

6. Click on "Set Values".

Result

The virtual routers have been created. The configuration is identical on both devices.

Overview of the configuration on the S615_1:

Overview of the configuration on S615_2:

4.3.3 Specifying the virtual IP address

A virtual IP address is assigned for each VRID so that the connected devices are not aware of the change. This virtual IP address is entered as gateway address in the devices.

Procedure

1. Click on "Layer 3" > "VRRPv3" in the navigation area and on the "Address Configuration" tab in the content area.

2. For "Interface / VRID" select the entry "vlan1 / 1".

3. In "Associated IP Address", enter the IP address "192.168.100.15".

4. Click "Create".

5. For "Interface / VRID" select the entry "vlan2 / 2".

6. In "Associated IP Address", enter the IP address "192.168.2.15".

7. Click "Create".

8. Click on "Set Values".

Result

The corresponding virtual IP addresses are specified.


4.3.4 Configuring interface monitoring

The interfaces P1 and P5 are to be monitored.

Procedure

1. Click on "Layer 3" > "VRRPv3" in the navigation area and on the "Interface Tracking" tab in the content area.

2. For "Interface" select the interface "P1".

3. For "Track-ID" enter the ID 1.

4. Click the "Create" button.

5. Repeat steps 2 to 4 for the interface "P5".

6. For "Track-ID", select "1".

7. Enter "1" for "Track Interface Count" and click "Set Values".

Result

The interfaces are tracked.

The "Track Interface Count" 1 means that when the connection status at an interface changes from "up" to "down", the priority of the assigned VRRP router is reduced.

You configure the value by which the priority is reduced on the page "Layer 3 > VRRPv3 > Configuration". When the connection status changes back from "down" to "up", the original priority is restored.
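As an added example (not part of the Siemens manual), the following Python simulates the election described in sections 4.3.2 and 4.3.4 with the page's values (priority 150 and 100, "Reduce Priority" 60, "Track Interface Count" 1) and includes the check that the reduction is actually large enough to hand the master role to the backup; VrrpRouter, elect_master, failover_possible and simulate_vrid1 are hypothetical names, and the tie-break on the higher primary address is the VRRPv3 rule of RFC 5798, not something the manual states.

```python
"""Added example (not from the Siemens manual): VRRPv3 master election with
the page's priorities (150 / 100), "Reduce Priority" 60 and interface tracking."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VrrpRouter:
    name: str
    ip: str                         # primary address on the VRID's VLAN
    priority: int                   # configured "Priority"
    reduce_priority: int            # "Reduce Priority", subtracted while tracking fires
    track_interface_count: int = 1  # "Track Interface Count"
    tracked: dict = field(default_factory=dict)   # interface -> "up" | "down"

    def effective_priority(self):
        """Reduced once at least track_interface_count tracked interfaces are
        down; the configured value is restored when they come back up."""
        down = sum(1 for state in self.tracked.values() if state == "down")
        if down >= self.track_interface_count:
            return max(self.priority - self.reduce_priority, 1)
        return self.priority


def elect_master(routers):
    """Highest effective priority wins; a tie goes to the higher primary IP
    address (the VRRP election rule of RFC 5798)."""
    return max(routers, key=lambda r: (r.effective_priority(),
                                       int(ipaddress.IPv4Address(r.ip)))).name


def failover_possible(master, backup):
    """The check to make before deploying: the reduction must push the master
    below the backup, otherwise a tracked link failure changes nothing."""
    return master.priority - master.reduce_priority < backup.priority


def simulate_vrid1(reduce_priority=60):
    """Master name after: normal operation, P1 down on S615_1, P1 up again."""
    up = {"P1": "up", "P5": "up"}
    s615_1 = VrrpRouter("S615_1", "192.168.100.1", 150, reduce_priority, tracked=dict(up))
    s615_2 = VrrpRouter("S615_2", "192.168.100.2", 100, reduce_priority, tracked=dict(up))
    history = [elect_master([s615_1, s615_2])]
    s615_1.tracked["P1"] = "down"      # link on the master goes "up" -> "down"
    history.append(elect_master([s615_1, s615_2]))
    s615_1.tracked["P1"] = "up"        # link restored: original priority returns
    history.append(elect_master([s615_1, s615_2]))
    return history
```

With the page's values the master drops to 90 and the backup (100) takes over; a reduction of 40 would leave the master at 110 and the failover would silently never happen.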

See also

Configure VRRPv3 router (Page 63)


4.4 Creating firewall rules for VRRPv3

For the incoming VRRP packets to be forwarded to the device, you must configure the following firewall rules.

Procedure

Create IP protocol

1. Click on "Layer 3 > Firewall" in the navigation area and on the "IP Protocol" tab in the content area.

2. For "Protocol Name" enter "VRRP".

3. Click on "Set Values". A new entry is generated in the table.

4. Enter "112" in "Protocol Number".

5. Click on "Set Values".

Creating IP Rules

1. Click on "Security" > "Firewall" in the navigation area and on the "IP Rules" tab in the content area.

2. Click "Create". A new entry is created in the table.

3. Configure the firewall rule for VRID1 with the following settings:

Action                Accept
From                  vlan1 (INT)
To                    Device
Source (Range)        0.0.0.0/0 (all addresses)
Destination (Range)   224.0.0.18/32
Service               VRRP

4. Click on "Set Values".

5. Click "Create". A new entry is created in the table.

6. Configure the firewall rule for VRID2 with the following settings:

Action                Accept
From                  vlan2 (EXT)
To                    Device
Source (Range)        0.0.0.0/0 (all addresses)
Destination (Range)   224.0.0.18/32
Service               VRRP

7. Click on "Set Values".


Result

The IP rules have been created.
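As an added example (not part of the Siemens manual), the following Python evaluates the two IP rules of section 4.4 (protocol 112, destination 224.0.0.18/32, one rule per VLAN) against constructed VRRPv3 advertisements and decodes the advertisement header so the VRID and priority carried in an accepted packet can be read; IpRule, filter_packet, parse_vrrpv3 and build_vrrpv3 are hypothetical names, the default "Drop" for unmatched packets is an assumption of the model, and the header layout is the one defined in RFC 5798.

```python
"""Added example (not from the Siemens manual): evaluates the two VRRP firewall
rules of section 4.4 against constructed VRRPv3 advertisements."""
import ipaddress
import struct
from dataclasses import dataclass

VRRP_PROTOCOL = 112                                   # "Protocol Number" from the IP Protocol table
VRRP_MCAST = ipaddress.IPv4Network("224.0.0.18/32")   # destination of every VRRP advertisement
ANY = ipaddress.IPv4Network("0.0.0.0/0")              # "Source (Range) 0.0.0.0/0 (all addresses)"


@dataclass(frozen=True)
class IpRule:
    action: str        # "Accept"
    from_if: str       # "vlan1 (INT)" or "vlan2 (EXT)"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    protocol: int      # IP protocol number behind the "Service" entry

# The two rules of section 4.4; "To: Device" is implied by filter_packet's scope
RULES = [IpRule("Accept", "vlan1 (INT)", ANY, VRRP_MCAST, VRRP_PROTOCOL),
         IpRule("Accept", "vlan2 (EXT)", ANY, VRRP_MCAST, VRRP_PROTOCOL)]


def filter_packet(from_if, src, dst, protocol):
    """Packets addressed to the device: first matching rule wins; anything
    unmatched is dropped (the enabled firewall's default, assumed here)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in RULES:
        if r.from_if == from_if and r.protocol == protocol and s in r.src and d in r.dst:
            return r.action
    return "Drop"


def parse_vrrpv3(payload):
    """Decode the fixed VRRPv3 header (RFC 5798): version/type, VRID, priority,
    address count, reserved/Max Adver Int, checksum, then the IPv4 addresses."""
    vt, vrid, prio, count, adver, _csum = struct.unpack("!BBBBHH", payload[:8])
    addrs = [str(ipaddress.IPv4Address(payload[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"version": vt >> 4, "type": vt & 0x0F, "vrid": vrid, "priority": prio,
            "max_adver_int_cs": adver & 0x0FFF, "addresses": addrs}


def build_vrrpv3(vrid, priority, virtual_ip):
    """Constructed advertisement: version 3, type 1 (ADVERTISEMENT), one address,
    Max Adver Int 100 centiseconds; checksum left 0 and not verified here."""
    head = struct.pack("!BBBBHH", (3 << 4) | 1, vrid, priority, 1, 100, 0)
    return head + ipaddress.IPv4Address(virtual_ip).packed
```

The same protocol number sent to a unicast address, or a different protocol sent to 224.0.0.18, falls through both rules, which is what keeps the rules from opening the device to more than the VRRP traffic between the two S615.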

4.5 Verify VRRPv3

Procedure

1. Click on "Layer 3" > "VRRPv3" in the navigation area and on the "Router" tab in the content area.

Result

Overview of the configuration on the S615_1:

Overview of the configuration on S615_2:

For master address, the IP address of the S615_1 is displayed.


Related documents